From 95b16f40f4199aa27ef27fcdff09e9031dd95219 Mon Sep 17 00:00:00 2001
From: Tim Rix
Date: Thu, 7 May 2026 15:01:40 -0400
Subject: [PATCH 1/3] Adjust workflow command
---
 .github/workflows/dev-build.yml | 2 +-
 .github/workflows/prod-promote.yml | 2 +-
 .github/workflows/stage-build.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
index 2f66f83..bc1d3ce 100644
--- a/.github/workflows/dev-build.yml
+++ b/.github/workflows/dev-build.yml
@@ -16,7 +16,7 @@ on:
 jobs:
 deploy:
 name: Dev Container Deploy
- uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@INFRA-526
+ uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
 secrets: inherit
 with:
 AWS_REGION: "us-east-1"
diff --git a/.github/workflows/prod-promote.yml b/.github/workflows/prod-promote.yml
index d1741d1..a1c0f68 100644
--- a/.github/workflows/prod-promote.yml
+++ b/.github/workflows/prod-promote.yml
@@ -15,7 +15,7 @@ on:
 jobs:
 deploy:
 name: Prod Container Promote
- uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@INFRA-526
+ uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main
 secrets: inherit
 with:
 AWS_REGION: "us-east-1"
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
index f7a5fc7..c318a01 100644
--- a/.github/workflows/stage-build.yml
+++ b/.github/workflows/stage-build.yml
@@ -17,7 +17,7 @@ on:
 jobs:
 deploy:
 name: Stage Container Deploy
- uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@INFRA-526
+ uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main
 secrets: inherit
 with:
 AWS_REGION: "us-east-1"
From f544407846d00eb100dd20592e4dc891a408e832 Mon Sep 17 00:00:00 2001
From: Tim Rix
Date: Thu, 7 May 2026 16:15:50 -0400
Subject: [PATCH 2/3] INFRA-1746 Update workflows
---
 .github/workflows/dev-build.yml | 19 +++++++++++--------
 .github/workflows/prod-promote.yml | 24 ++++++++++-------------
 .github/workflows/stage-build.yml | 23 ++++++++++++-----------
 3 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
index bc1d3ce..bcc46b1 100644
--- a/.github/workflows/dev-build.yml
+++ b/.github/workflows/dev-build.yml
@@ -1,10 +1,6 @@
 ### This is the Terraform-generated dev-build.yml workflow for the ###
 ### docker-matomo-dev app repository. ###
-name: Dev Container Build and Deploy
-
- # checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
- # NOTE: The above checkov skip command doesn't actually work and this workflow
- # will always show a checkov warning.
+name: Dev Build and Push ECR Image
 on:
 workflow_dispatch:
 pull_request:
@@ -13,12 +9,19 @@ on:
 paths-ignore:
 - '.github/**'
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
- deploy:
- name: Dev Container Deploy
- uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
+ build-push:
+ name: Dev Build and Push Image
+ uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main
 secrets: inherit
 with:
 AWS_REGION: "us-east-1"
 GHA_ROLE: "docker-matomo-gha-dev"
 ECR: "docker-matomo-dev"
+ # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"!
+ # FUNCTION: "" # only if this is a container-based Lambda function
+ # PREBUILD: # only if there is some pre-build dependency
diff --git a/.github/workflows/prod-promote.yml b/.github/workflows/prod-promote.yml
index a1c0f68..66af25c 100644
--- a/.github/workflows/prod-promote.yml
+++ b/.github/workflows/prod-promote.yml
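Review bot: The `permissions:` block added at workflow level in the second dev-build.yml hunk grants `id-token: write` to every job in the file, although only `build-push` needs an OIDC token to call the shared deploy workflow; the stage-build.yml hunk in this patch has the same shape. A caller job may carry its own `permissions:`, so nesting the same two entries under `build-push:` (`permissions:` with `id-token: write` and `contents: read`) keeps any job added later on the default token. The shared workflows are also referenced at the mutable `@main` ref; for an in-org `.github` repository that is a common choice, but a tag or commit SHA would turn each change to the shared workflow into an explicit, reviewable bump in this repository's history.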
@@ -1,27 +1,23 @@
 ### This is the Terraform-generated prod-promote.yml workflow for the ###
 ### docker-matomo-prod repository. ###
-name: Prod Container Promote
-
- # checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
- # NOTE: The above checkov skip command doesn't actually work and this workflow
- # will always show a checkov warning.
-
+name: Prod Promote Image
 on:
 workflow_dispatch:
 release:
 types: [published]
 jobs:
- deploy:
- name: Prod Container Promote
- uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main
+ promote:
+ name: Prod Promote Container
+ uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main
 secrets: inherit
 with:
 AWS_REGION: "us-east-1"
- GHA_ROLE_STAGE: docker-matomo-gha-stage
- GHA_ROLE_PROD: docker-matomo-gha-prod
- ECR_STAGE: "docker-matomo-stage"
+ GHA_ROLE_STAGE: "docker-matomo-gha-prod"
+ GHA_ROLE_PROD: "docker-matomo-gha-prod"
+ ECR_STAGE: "docker-matomo-prod"
 ECR_PROD: "docker-matomo-prod"
- # FUNCTION: ""
-
\ No newline at end of file
+ # DEFAULT_BRANCH: # Only if the default branch is not "main"!
+ # FUNCTION: "" # only if this is a container-based Lambda function
+
\ No newline at end of file
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
index c318a01..2a9b421 100644
--- a/.github/workflows/stage-build.yml
+++ b/.github/workflows/stage-build.yml
@@ -1,11 +1,6 @@
 ### This is the Terraform-generated dev-build.yml workflow for the ###
 ### docker-matomo-stage app repository. ###
-name: Stage Container Build and Deploy
-
- # checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
- # NOTE: The above checkov skip command doesn't actually work and this workflow
- # will always show a checkov warning.
-
+name: Stage Build and Push ECR Image
 on:
 workflow_dispatch:
 push:
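Review bot: `GHA_ROLE_STAGE: "docker-matomo-gha-prod"` and `ECR_STAGE: "docker-matomo-prod"` in the prod-promote.yml hunk replace stage-named values with the prod role and prod registry, so the stage and prod inputs are now identical; if the shared promote workflow reads the image from the stage side and writes it to prod, this makes prod both source and destination and looks like a copy-paste slip — confirm against the Terraform template, and if so restore `GHA_ROLE_STAGE: "docker-matomo-gha-stage"` and `ECR_STAGE: "docker-matomo-stage"`. This file also receives no `permissions:` block, unlike dev-build.yml and stage-build.yml in the same patch, so the promote job runs with whatever the repository's default GITHUB_TOKEN permissions are; if the called workflow assumes the roles via OIDC it needs `id-token: write` here as well, and either way a block with `contents: read` would bound the token. The new last line is whitespace with no trailing newline (the `\ No newline at end of file` marker survives on the new side); drop it and end the file with a newline.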
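Review bot: The first context line of the stage-build.yml hunk still describes the file as `dev-build.yml` (`### This is the Terraform-generated dev-build.yml workflow for the ###`) while the line under it names the stage repository; since the patch rewrites the lines immediately below, this is the moment to change it to `### This is the Terraform-generated stage-build.yml workflow for the ###`. The header says the file is Terraform-generated, so the same correction presumably belongs in the generating template too, or it will return on the next regeneration.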
@@ -14,13 +9,19 @@ on:
 paths-ignore:
 - '.github/**'
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
- deploy:
- name: Stage Container Deploy
- uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main
+ build-push:
+ name: Stage Build and Push Image
+ uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main
 secrets: inherit
 with:
 AWS_REGION: "us-east-1"
 GHA_ROLE: "docker-matomo-gha-stage"
- ECR: "docker-matomo-stage"
-
+ ECR: ""docker-matomo-stage"
+ # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"!
+ # FUNCTION: "" # only if this is a container-based Lambda function
+ # PREBUILD: # only if there is some pre-build dependency
From 45572235141d40773078da5b0fc4d47f6785b1cf Mon Sep 17 00:00:00 2001
From: Tim Rix
Date: Thu, 7 May 2026 16:44:44 -0400
Subject: [PATCH 3/3] Fix typo in stage-build.yaml
---
 .github/workflows/stage-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
index 2a9b421..a1e588c 100644
--- a/.github/workflows/stage-build.yml
+++ b/.github/workflows/stage-build.yml
@@ -21,7 +21,7 @@ jobs:
 with:
 AWS_REGION: "us-east-1"
 GHA_ROLE: "docker-matomo-gha-stage"
- ECR: ""docker-matomo-stage"
+ ECR: "docker-matomo-stage"
 # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"!
 # FUNCTION: "" # only if this is a container-based Lambda function
 # PREBUILD: # only if there is some pre-build dependency